Tuesday, August 19, 2008

Department of Transport admits to breaking security standards?

According to information published under the Freedom of Information Act, the Department of Transport has had a total of 7 laptops stolen or lost in the last 12 months (4 stolen, 3 lost). What is interesting in the DfT's response, though, is that it says,

Since January 2008, all laptops have been encrypted to HMG standard.

The implication being that prior to January 2008 no laptops were encrypted to HMG standard even though the standard was in place. A rare admission that they broke the rules surely?

Amusingly, they also responded to requests about the use of iPods and removable media devices on DfT equipment. Apparently users are free to plug in their iPods because installing iTunes is blocked, making it all rather pointless. However, when also asked if staff were banned from using USB removable media, the response was,

No. Staff can use USB storage devices (such as memory sticks) connected to a workplace computer but only in circumstances where no protected personal data, as defined in the Cabinet Office Data Handling review is involved.

So it's only when "protected personal data" is involved that they can't. If it's circumstances where classified material exists, it's OK to use a USB drive, is it?

"Since January 2008, all laptops have been encrypted to HMG standard."

"The implication being that prior to January 2008 no laptops were encrypted to HMG standard even though the standard was in place. A rare admission that they broke the rules surely?"

Not surely.

Firstly, a standard must be in place before anybody can comply with it. One cannot comply with a standard before it is issued since one doesn't know what it says, and often government departments have thousands of users and computers, so planning can take time.

Secondly, you cannot infer that "prior to January 2008, no laptops were encrypted", since the message just reads that all laptops are encrypted since January 2008. It is possible that 99% of laptops were encrypted in December 2007.

Thirdly, you cannot assert that they broke the rules if you don't know what the rules are. Perhaps the rules are that all laptops must be encrypted from January 2008, in which case they broke no rules.

I'm all in favour of the government being held to account, god knows they're far too sloppy in every way, but please be careful with your logic!